Project:
Date:
2021-May-26
Vulnerability:
Cross Site Scripting
Description:
Drupal core uses the third-party CKEditor library. This library has an error in parsing HTML that could lead to an XSS attack.
Solution:
Install the latest version:
- If you are using Drupal 9.1, update to Drupal 9.1.9.
- If you are using Drupal 9.0, update to Drupal 9.0.14.
- If you are using Drupal 8.9, update to Drupal 8.9.16.
Versions of Drupal 8 prior to 8.9.x are end-of-life and do not receive security coverage.
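The version check implied by the list above can be scripted for a fleet of sites. The following is an added example, not part of the advisory or of Drupal; the function name `triage`, the status labels and the sample inventory are constructed for illustration, and the fixed versions are the ones listed above.

```python
import re

# Fixed patch release per supported branch, from the advisory's Solution list.
FIXED = {(9, 1): 9, (9, 0): 14, (8, 9): 16}

# Matches release strings such as "9.1.8" or "9.1.0-rc1"; dev snapshots
# such as "9.1.x-dev" carry no patch number and are reported as unparsed.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def triage(version):
    """Return (status, target) for one Drupal core version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return ("unparsed", None)
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    if (major, minor) in FIXED:
        fixed_patch = FIXED[(major, minor)]
        # A pre-release of the fixed version precedes it, so it still needs the update.
        if patch > fixed_patch or (patch == fixed_patch and not prerelease):
            return ("patched", None)
        return ("update", f"{major}.{minor}.{fixed_patch}")
    if major == 8 and minor < 9:
        # Drupal 8 before 8.9.x: end-of-life, no security coverage.
        return ("end-of-life", None)
    # Branch not named in this advisory; check its own release notes.
    return ("not-listed", None)


if __name__ == "__main__":
    # Constructed inventory: site name -> reported Drupal core version.
    inventory = {
        "intranet": "9.1.8",
        "shop": "9.0.14",
        "blog": "8.9.15",
        "archive": "8.7.3",
        "staging": "9.1.x-dev",
    }
    for site, version in sorted(inventory.items()):
        status, target = triage(version)
        suffix = f" -> {target}" if target else ""
        print(f"{site:10} {version:12} {status}{suffix}")
```

Sites reported as `unparsed` or `not-listed` need a manual check, because the advisory gives no fixed version for them.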
Reported By:
Fixed By:
- Greg Knaddison of the Drupal Security Team
- Jess of the Drupal Security Team
- Krzysztof Krzton
- Lee Rowlands of the Drupal Security Team
- Michael Hess of the Drupal Security Team